
After applying updates to my computer overnight, each time I reboot, I am getting the warning below from Malwarebytes. It has occurred with each of two reboots, but I've never seen it before (I'll admit that I only reboot about once per week, unless updates are being installed, though). No filename listed, as you can see below. Doesn't seem to recur after the reboot, even if the computer remains on for hours and engaged in normal activity. Unclear if this is related to the most recent Windows update, but I'm having no other problems, and full MWB scans are coming back clean. Happy to provide any additional logs requested.

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 1/16/19
Protection Event Time: 11:18 AM
Log File: 6141610c-19aa-11e9-9acc-847beb2bb294.json

-Software Information-
Version: 3.6.1.2711
Components Version: 1.0.508
Update Package Version: 1.0.8818
License: Premium

-System Information-
OS: Windows 10 (Build 17134.523)
CPU: x64
File System: NTFS
User: System

-Exploit Details-
File: 0
(No malicious items detected)

Exploit: 1
Malware.Exploit.Agent.Generic, , Blocked, [0], [392684],0.0.0

-Exploit Data-
Affected Application: Windows Script Host
Protection Layer: Malicious Memory Protection
Protection Technique: Exploit code executing from Heap memory blocked
File Name: 
URL: 

(end)

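The report above is plain "-Section-" headers followed by "Key: value" lines, which makes it easy to parse when triaging many of these events. The following is an added example, not Malwarebytes code and not part of the thread: it parses the report text exactly as pasted above and derives the facts a responder looks at first (which application and protection layer fired, whether a file or URL was captured, and whether the signature is a generic one). The section and field names are taken from this one report; the assumption that other versions use the same layout is mine.

```python
"""Parse a Malwarebytes 3.x protection-event report and summarise it for triage.

Added example, not Malwarebytes code. Layout assumptions come from the single
report quoted in the thread; other product versions may differ (assumption).
"""
import re
from typing import Dict, List

# Report copied verbatim from the thread above (not constructed).
SAMPLE_REPORT = """Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 1/16/19
Protection Event Time: 11:18 AM
Log File: 6141610c-19aa-11e9-9acc-847beb2bb294.json

-Software Information-
Version: 3.6.1.2711
Components Version: 1.0.508
Update Package Version: 1.0.8818
License: Premium

-System Information-
OS: Windows 10 (Build 17134.523)
CPU: x64
File System: NTFS
User: System

-Exploit Details-
File: 0
(No malicious items detected)

Exploit: 1
Malware.Exploit.Agent.Generic, , Blocked, [0], [392684],0.0.0

-Exploit Data-
Affected Application: Windows Script Host
Protection Layer: Malicious Memory Protection
Protection Technique: Exploit code executing from Heap memory blocked
File Name:
URL:

(end)
"""

SECTION_RE = re.compile(r"^-(.+)-$")          # e.g. "-Exploit Data-"
FIELD_RE = re.compile(r"^([^:]+):\s*(.*)$")  # "Key: value"; value may be empty


def parse_report(text: str) -> Dict[str, Dict[str, object]]:
    """Return {section: {key: value, ..., "_entries": [lines without a colon]}}.

    Text before the first header lands in "_preamble". The detection line in
    -Exploit Details- has no colon, so it is kept in "_entries" for later splitting.
    """
    sections: Dict[str, Dict[str, object]] = {"_preamble": {"_entries": []}}
    current = "_preamble"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(end)":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {"_entries": []})
            continue
        m = FIELD_RE.match(line)
        if m:
            sections[current][m.group(1).strip()] = m.group(2).strip()
        else:
            sections[current]["_entries"].append(line)  # type: ignore[union-attr]
    return sections


def parse_detection(entry: str) -> Dict[str, str]:
    """Split "Name, , Action, [n], [id],version" into name and action."""
    parts = [p.strip() for p in entry.split(",")]
    return {"name": parts[0], "action": parts[2] if len(parts) > 2 else ""}


def triage(text: str) -> Dict[str, object]:
    """Reduce a report to the facts that decide the next investigative step."""
    r = parse_report(text)
    log = r.get("Log Details", {})
    details = r.get("Exploit Details", {})
    data = r.get("Exploit Data", {})
    detections = [parse_detection(e) for e in details.get("_entries", []) if "," in e]
    names = [d["name"] for d in detections]
    has_artifact = bool(data.get("File Name")) or bool(data.get("URL"))
    generic = any(n.endswith(".Generic") for n in names)
    notes: List[str] = []
    if not has_artifact:
        # Nothing on disk to hash or submit: the event time is the only pivot.
        notes.append("no file or URL captured; correlate the event time with what "
                     "starts then (boot/sign-in tasks that host the affected application)")
    if generic:
        notes.append("generic memory-protection signature, not a file detection; "
                     "compare with a full scan before treating it as an infection")
    return {
        "when": f"{log.get('Protection Event Date', '')} {log.get('Protection Event Time', '')}",
        "application": data.get("Affected Application", ""),
        "layer": data.get("Protection Layer", ""),
        "technique": data.get("Protection Technique", ""),
        "detections": names,
        "blocked": bool(detections) and all(d["action"] == "Blocked" for d in detections),
        "has_artifact": has_artifact,
        "generic_signature": generic,
        "notes": notes,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

Run as a script it prints the triage summary for the report in the thread; `parse_report` can be fed any report pasted from the Malwarebytes event window, and `triage` flags the two things that make this particular event hard to act on: an empty File Name/URL and a generic signature name.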

Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens, click Yes to the disclaimer.
Press the Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to Attach.
Click Attach this file.
Click the Add reply button.
===

Please post the logs for my review.

Wait for further instructions.


Hi,

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Firefox:
Reset Default Browsing settings:
https://support.mozilla.org/en-US/kb/refresh-firefox-reset-add-ons-and-settings
===

If the problem persists and you are syncing Firefox with other devices, remove it.
https://support.mozilla.org/en-US/kb/how-do-i-set-sync-my-computer

When all is well you can re-sync your devices.

Keep me posted.


Hi,

Sorry about that, my mistake.

p.s.
This program is installed, but I'm seeing some errors in your Addition.txt log.
Audacity 2.1.3 (HKLM-x32\...\Audacity®_is1) (Version: 2.1.3 - Audacity Team)

You may have to reinstall it or remove it completely.
To remove it, go to Control Panel > Programs > Programs and Features.

I have also determined that signing out and signing back in to my profile also elicits the exploit pop-up. As long as I stay signed in, no problems.

These are the profiles shown in your Addition.txt log.
Administrator (S-1-5-21-4106294062-4130048709-2438025359-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-4106294062-4130048709-2438025359-503 - Limited - Disabled)
Guest (S-1-5-21-4106294062-4130048709-2438025359-501 - Limited - Disabled)
somits (S-1-5-21-4106294062-4130048709-2438025359-1001 - Administrator - Enabled) => C:\Users\somits
WDAGUtilityAccount (S-1-5-21-4106294062-4130048709-2438025359-504 - Limited - Disabled)

Which one is compromised?
I see that your logs were Ran by DASCHUL, but I do not see it in the list.

fixlist.txt

Edited by nasdaq

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks
